VPN connection kills RRAS
-
Wednesday, July 21, 2010 8:18 PM
OK, here goes. I have installed EBS and all seems to be working except the VPN. At this point I can establish a VPN connection (after a few tries) and obtain an IP from the DHCP server. This is where it gets hard: once I establish the connection I lose all Internet connectivity from the Domain, still have Internet from the security server, and have no routing on the VPN client. I then need to restart RRAS on the security server to restore Internet access for the Domain. Config: WGFW > XXX.XXX.2.XX > SECSERVER > XXX.XXX.0.XXX > DOMAIN
What do you think?
All Replies
-
Friday, July 23, 2010 4:58 AM (Owner)
Can you try a static pool instead of DHCP for VPN clients?
When you make the VPN connection, can you check what address the proxy server name resolves to for Domain clients?
If your browser proxy setting uses the Security Server's name, verify what name it resolves to from the proxy clients. Does it resolve to the first IP of the VPN pool?
Bala Natarajan [MSFT] | Sr. Support Escalation Engineer | CSS Security
-
Friday, July 23, 2010 2:37 PM
I think you misunderstand. My VPN connection connects and obtains the DHCP address, and ALL connectivity, including my network domain, will not route. In order for my internal machines to route to the INTERNET I need to restart RRAS. This does 2 things: kills the VPN connection and resets to allow INTERNET traffic to the outside world for my Domain users. So in short, when I establish a VPN connection all routing breaks.
On the VPN client I have no connectivity either.
Thanks
Tom D
-
Tuesday, July 27, 2010 9:37 PM
Hi Tom,
Let's break it down a little bit. If I understand correctly:
1. You're able to connect VPN from an external client successfully
2. External client can't access internal resources and has no VPN routes
3. Internal machines (internal to TMG/EBS) lose connectivity to the internet at this time
4. Restarting RRAS restores internet connectivity for internal clients
Please let me know in case we missed anything.
Thank You,
Mohit Kumar [MSFT] | Sr. Support Escalation Engineer | CSS Security
-
Wednesday, July 28, 2010 2:20 PM
Yes, this is exactly the case.
-
Thursday, July 29, 2010 6:31 PM
Hi Tom,
Thanks for confirming my understanding of the issue. If internal clients are Web Proxy clients, please turn off “Automatically detect settings” and “Use automatic configuration script” in IE and enable "Use a proxy server for your LAN" to point the internal clients manually or via a GPO to the IP address or the name of the Security Server. In case the internal clients have Firewall Client/Forefront TMG Client installed, please turn off "Enable Web browser automatic configuration" in the Firewall Client configuration on the client machine.
After the above has been done, connect the VPN client again and check if the internal clients can access internet. Also, test if your VPN client can access internal resources.
Thank You,
Mohit Kumar [MSFT] | Sr. Support Escalation Engineer | CSS Security
-
Monday, August 02, 2010 12:01 PM
I have no web proxy on the inside, and no firewalls turned on on the test machines. With all this off I still kill the internal LAN when connecting to the EBS TMG, and I am still unable to route internally or externally once a VPN connection is established.
-
Wednesday, August 04, 2010 10:23 PM
If the internal clients are not Web Proxy or Firewall clients, I'm assuming that they're pointing to the Security Server for their Default Gateway. If that's the case, please do the following:
- Ensure that Default Gateway is configured only on the external interface of the Security Server
- Connect VPN from the external client
- Collect a network capture from an internal client while trying to access internet and check if it gets any response from the Security Server (check for both TCP and HTTP responses)
- Check routing table on Security Server at this time and ensure that the default route is listed correctly
If the above doesn't reveal the root cause of this issue, we may need to get some data (Network Captures, BPA etc).
Mohit Kumar [MSFT] | Sr. Support Escalation Engineer | CSS Security
-
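The checklist above (default gateway only on the external adapter, default route present in the routing table) can be verified on the Security Server with the added script below. It is example code written for this thread, not something Tom or Microsoft posted; it assumes only WMI and route.exe, which exist on Windows Server 2008 era hosts as well as current ones. Run it once before and once while the VPN client is connected and compare the two outputs.

```powershell
# Added example: verify the Security Server's gateway and default-route state
# while troubleshooting the RRAS/VPN routing loss described in this thread.
# Uses WMI (Win32_NetworkAdapterConfiguration) and route.exe so it works on
# Windows Server 2008 as well as newer versions.

# All IP-enabled adapters, including any RAS/WAN Miniport adapters that appear
# while a VPN client is connected
$adapters = @(Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled })

foreach ($a in $adapters) {
    $gw = if ($a.DefaultIPGateway) { $a.DefaultIPGateway -join ',' } else { 'None' }
    "{0,-45} IP={1,-20} GW={2}" -f $a.Description, ($a.IPAddress -join ','), $gw
}

# EBS/TMG expects a default gateway on the external adapter only; a gateway on
# the internal (or a RAS) adapter produces exactly the symmetric-routing loss
# of internet access for internal clients that Tom reports.
$withGateway = @($adapters | Where-Object { $_.DefaultIPGateway })
if ($withGateway.Count -gt 1) {
    Write-Warning ("Default gateway is set on {0} adapters; it should be on the external adapter only." -f $withGateway.Count)
} elseif ($withGateway.Count -eq 0) {
    Write-Warning "No adapter has a default gateway configured."
}

# Active IPv4 default routes (0.0.0.0/0) as RRAS/TMG currently see them
$defaultRoutes = @(route print -4 | Where-Object { $_ -match '^\s*0\.0\.0\.0\s+0\.0\.0\.0\s+' })
"Default routes in the active IPv4 routing table:"
$defaultRoutes
if ($defaultRoutes.Count -eq 0) {
    Write-Warning "No default route present; internal clients cannot reach the internet through this server."
} elseif ($defaultRoutes.Count -gt 1) {
    Write-Warning "More than one default route; check that the lowest-metric one points at the external gateway."
}
```

If the second run (VPN client connected) shows a new gateway or default route that the first run did not, that difference is what the network captures Mohit asks for should be lined up against.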
Thursday, August 05, 2010 12:39 PM
Thanks for the update, and let me validate a few settings.
Security server
ext xxx.xxx.4.2
GW xxx.xxx.4.1
Internal xxx.xxx.0.1
GW None
All IPV6 unchecked (other MS tech uncheck these, not sure if this is needed or not)
XP VPN client set to external Firewall rule that I NAT to xxx.xxx.4.2, VPN type automatic
-
Monday, August 09, 2010 3:44 PM
IPV6 needs to remain enabled,...even if not used.
--
Phillip Windell
The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-
Monday, August 09, 2010 7:09 PM
Hi Tom,
Thanks for the information. Your configuration looks good from what I see in your response. Were you able to check the routing table and the network captures?
Mohit Kumar [MSFT] | Sr. Support Escalation Engineer | CSS Security
-
Tuesday, August 10, 2010 11:29 AM
I was not able to check things out yet; that is my plan for this week. I assume we will need to gather some data. This has really been a pain since the install of EBS.
-
Wednesday, August 25, 2010 12:16 AM
Hi Tom,
Any update on this?
Mohit Kumar [MSFT] | Sr. Support Escalation Engineer | CSS Security
-
Thursday, August 26, 2010 12:37 AM
Mohit,
Thanks for the follow-up. I am going to run the capture tomorrow morning and will post my results.
-
Thursday, August 26, 2010 12:01 PM
OK, here is what I have done.
I connected to the VPN using PPTP from outside our network. Once the connection was made I lost all connection to the WWW from the inside; the Security Server still had WWW access. The systems and routes all look OK from here. I do have captures from before, during and after, from both the inside and the Security Server, including the route tables of each.
I could send these.
-
Tuesday, August 31, 2010 8:35 PM
Hi Tom,
Please zip the captures and the routing table output and send them to me at mohitku@microsoft.com. Please include the relevant IP addresses (Internal machine used for testing, VPN client, Security Server etc) in your email.
Mohit Kumar [MSFT] | Sr. Support Escalation Engineer | CSS Security
-
Tuesday, September 14, 2010 10:04 PM
Hi Tom,
I haven't received the data yet. Any further updates?
Mohit Kumar [MSFT] | Sr. Support Escalation Engineer | CSS Security
-
Wednesday, September 15, 2010 4:44 PM
I sent the data in a 10 MB zip format on 8/31. Can your email accept that size?
-
Friday, October 15, 2010 8:09 PM
Per my discussion with Tom, he'll be opening a support case to pursue this further.
Mohit Kumar [MSFT] | Sr. Support Escalation Engineer | CSS Security